A board pack is the most concentrated package of sensitive information a company produces (strategy, finances, legal exposure, personnel, deals) and at most organisations it's distributed with less care than the office Wi-Fi password. Here are the six methods boards actually use, RAG-rated, with the failure modes I've seen for each.

First, the uncomfortable framing. Non-executive directors are what the NCSC calls high-risk individuals: people whose access makes them disproportionately attractive targets, who typically operate on personal devices and personal accounts, outside any corporate IT perimeter. An attacker who wants your company's secrets doesn't need to breach your firewall. They need to phish one INED's ten-year-old Gmail account. I spent years at Diligent deploying secure board platforms to FTSE and Fortune 500 boards; the gap between how those boards handle papers and how a typical UK board does is the single widest security gap I know of in British governance.

The six methods, rated

Method | Rating | Verdict
--- | --- | ---
Personal email attachments | RED | Stop today. The pack now lives forever in an account you don't control, can't wipe, and didn't secure.
WhatsApp / consumer messaging | RED | Fine for "running ten minutes late". Indefensible for documents.
Consumer file-sharing links | RED | Personal Dropbox links with no expiry are personal email with extra steps.
Company email attachments | AMBER | Better, though attachments are copies, and copies multiply onto every device, forever.
Enterprise file sharing, done properly | AMBER | SharePoint or Google Drive with named access, MFA, link expiry, and no downloads can be genuinely good. Most aren't set up that way.
A board portal | GREEN | Built for exactly this. Now priced for ordinary boards, not just the FTSE.

Red: personal email

The most common method at small organisations, and the worst. The company secretary sends the pack to directorname@gmail.com because that's the address the director gave. From that moment the company has lost custody: the document sits in an account whose password the company doesn't set, whose two-factor status it can't verify, synced to devices it has never seen, searchable by anyone who ever compromises that mailbox. Email compromise of senior individuals' personal accounts is one of the most reliably productive attacks there is; it's precisely why the NCSC publishes dedicated guidance for high-risk individuals. And when the director retires, every pack they ever received retires with them, into an inbox nobody will ever audit.

Red: consumer messaging

WhatsApp's encryption in transit is genuinely good, which is why people wave it through. But the documents land unencrypted in the phone's storage and the chat's media folder, back themselves up to whatever cloud account the handset uses, and live in a thread that can be forwarded in one tap. Worse, informal channels breed informal decisions: a board that discusses board business on WhatsApp is also manufacturing a discoverable record outside its own minute book. Logistics, yes. Materials and substantive discussion, no.

Red: consumer file-sharing links

"I'll just put it in my Dropbox" combines the custody problems of personal email with a new one: anyone-with-the-link sharing. Links get forwarded, sit in inboxes indefinitely, and rarely expire. If a file-sharing service is the right tool, it must be the company's tenancy, not an individual's account.

Amber: company email

A real improvement: corporate accounts can enforce MFA, be wiped when a director leaves, and sit inside someone's security monitoring. Two problems remain. Attachments are copies: every pack sent is a pack duplicated onto every recipient's every device, beyond recall the moment it leaves. And UK boards rarely issue corporate accounts to NEDs at all, which quietly routes everything back to the red column. If email is your method: corporate addresses for every director, MFA enforced, and a standing rule against forwarding to personal accounts.

Amber: enterprise file sharing, done properly

The tools most organisations already pay for (Microsoft 365, Google Workspace) can host board papers well: a dedicated, access-controlled area; named individuals rather than open links; MFA enforced; viewing online rather than downloading; links that expire after the meeting cycle; access revoked the day a director steps down. The catch is the phrase done properly. In the wild I mostly find packs in a folder shared once in 2021 to a list nobody has reviewed since, with former directors still on it. The technology is adequate; it's the administration that fails. If nobody owns the access list, you don't have an amber method: you have a slow-motion red one.
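What owning the access list can look like in practice, as an added example (not part of the original article and not any vendor's tooling): a short audit that checks a sharing export against the current director roster and the "done properly" criteria above. The record fields, addresses, dates, and the 183-day review threshold are assumptions made for illustration; real Microsoft 365 or Google Workspace exports use different schemas.

```python
from datetime import date, timedelta

# Constructed sample data; field names are hypothetical, not a real
# Microsoft 365 or Google Workspace export schema.
CURRENT_DIRECTORS = {"chair@example.org", "ned1@example.org", "cosec@example.org"}
SHARES = [
    {"principal": "chair@example.org", "kind": "named", "mfa": True,
     "can_download": False, "expires": date(2025, 7, 15)},
    {"principal": "ned1@example.org", "kind": "named", "mfa": False,
     "can_download": True, "expires": date(2025, 7, 15)},
    {"principal": "former.ned@example.org", "kind": "named", "mfa": True,
     "can_download": False, "expires": None},
    {"principal": None, "kind": "anyone_with_link", "mfa": False,
     "can_download": True, "expires": None},
]


def audit_shares(shares, directors, cycle_end, last_review, today):
    """Return (subject, issue) findings for a board-papers sharing area."""
    findings = []
    for s in shares:
        who = s["principal"] or "<open link>"
        if s["kind"] != "named":
            findings.append((who, "open link instead of named access"))
        else:
            if s["principal"] not in directors:
                findings.append((who, "not a current director"))
            if not s["mfa"]:
                findings.append((who, "MFA not enforced"))
        if s["can_download"]:
            findings.append((who, "download allowed"))
        # A share must lapse by the end of the meeting cycle it was created for.
        if s["expires"] is None or s["expires"] > cycle_end:
            findings.append((who, "no expiry within the meeting cycle"))
    # Assumed threshold: roughly six months between access-list reviews.
    if today - last_review > timedelta(days=183):
        findings.append(("<access list>", "not reviewed in the last six months"))
    return findings


def demo():
    """Run the audit on the constructed data with constructed dates."""
    return audit_shares(SHARES, CURRENT_DIRECTORS, cycle_end=date(2025, 7, 31),
                        last_review=date(2021, 3, 1), today=date(2025, 7, 1))


if __name__ == "__main__":
    for subject, issue in demo():
        print(f"{subject}: {issue}")
```
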

Green: a board portal

Purpose-built platforms such as Diligent, OnBoard, iBabs, Board Intelligence, and Convene exist because boards have exactly this problem. Documents stay on the platform rather than scattering as copies; access is per-person and revocable in one action; everything is encrypted, auditable, and wipeable from a lost device; and the pack for the director who resigned yesterday disappears today. A decade ago this was FTSE-budget software. It no longer is: entry-level portal pricing now sits comfortably inside what most boards spend on sandwiches for board meetings. If your organisation can afford a board, it can afford a portal; and if it genuinely can't, the properly-administered amber option above is an acceptable floor.

The minimum standard, whatever you choose

  • MFA on every account that touches board material. Non-negotiable, especially for directors' own accounts.
  • No forwarding to personal accounts. Write it down, adopt it, and have the chair model it.
  • A leaver routine for directors. The day a director departs, their access dies and their copies are deleted or returned. If your method can't do this, that fact alone is the case for changing method.
  • An owner. One named person, usually the company secretary, owns distribution, the access list, and a twice-yearly review.
  • Device basics for directors. Updates on, screen lock on, and board material off the shared family computer. (This is the heart of my Cyber Security for Directors work.)

One last connection worth making: distribution is also where AI risk enters. A director who receives the pack as a PDF attachment can paste it into a chatbot in seconds; a portal that renders documents on-platform makes that materially harder to do casually. The same single decision, taking custody of your board materials seriously, quietly closes more than one door. I've written about what directors are actually doing with AI; the distribution method you choose determines how much of it is even possible.

Ask one question at your next meeting: "How does this pack actually reach each of us, account by account, device by device?" If the honest answer includes the word "Gmail", you have this quarter's easiest governance win sitting in front of you.